ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Short Video Writer

v1.0.0

AI-powered tool to generate tailored short video scripts for platforms like TikTok, Bilibili, and live streams with style and format customization.

0· 41·1 current·1 all-time
by@bingze00000
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Pending
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The name, description, and SKILL.md all consistently describe generating short-video scripts for multiple platforms. However _meta.json lists a requirement of "openai" while the skill package (registry metadata and SKILL.md) does not declare any required environment variables or a primary credential. If the skill actually calls the OpenAI API it should declare the corresponding API key/token requirement.
Instruction Scope
SKILL.md contains only template commands and examples for generating scripts, batch generation, supported platforms, output formats, and an example output directory (./scripts). It does not instruct the agent to read unrelated system files, harvest credentials, or transmit data to unknown endpoints.
Install Mechanism
This is an instruction-only skill with no install spec and no code files, so nothing is downloaded or written at install time.
!
Credentials
The bundle claims no required env vars in the registry metadata, but _meta.json lists "requirements": ["openai"]. That implies the skill may expect an OpenAI API key or platform-provided model access; the lack of an explicit declared env var (e.g., OPENAI_API_KEY) is a mismatch and should be clarified. No other credentials or unrelated env access are requested in SKILL.md.
Persistence & Privilege
The skill does not request always:true and has no install-time actions. It does indicate writing outputs (e.g., ./scripts) which is a normal behavior for a generator and not a persistence escalation.
What to consider before installing
This skill appears to be what it says (a short-video script generator) but there is an inconsistency: the internal metadata lists "openai" as a requirement while the package doesn't declare any API key or env var. Before installing or granting credentials, ask the publisher: (1) does the skill call OpenAI or another remote API, and which environment variable or credential will it require; (2) where are generated outputs written and can you control the output path; (3) is any user content sent to third-party endpoints beyond your platform. Don't hand over API keys or secrets until the above is clarified. If possible, test the skill in a sandbox environment or with a limited/throwaway API key and verify its behavior and privacy practices. Also note the package metadata indicates a paid product (29 CNY) and an author handle; verify the source/trustworthiness before purchase.

Like a lobster shell, security has layers — review code before you run it.

latestvk9709d55vz37gbdjcdjzjrcckh83t60j

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments